Avoid GitPython CVE-2023-40267

[tvalenta]

Bump GitPython to 3.1.32
Avoids CVE-2023-40267

[sigmavirus24]

We have a lower bound not a pin thus there is nothing required here.

[tvalenta]

Perhaps I misunderstand, and I should have worded that comment better as it wasn't intended as a pinned version. In this case, versions < 3.1.32 are vulnerable, and I was intending to only set the lower-bound to the non-vulnerable version. Did I miss something else?

[sigmavirus24]

Pip will avoid it and anyone doing the bare minimum in managing their dependencies will get this. Dependencies that are not pins (e.g., >=) do not need bumping to avoid issues because we're declaring what the package is compatible with. Many downstreams that repackage bandit will patch older versions to fix CVEs and need the metadata to still allow the older version string

[tvalenta]

Fair enough, and I totally understand that aspect. It was largely from #1048 that I added this PR since this CVE is related to the previous CVE.

In my situation, I'm dealing with a few repositories that use poetry and the vulnerable GitPython version is still in the poetry.lock file. If I updated the pyproject.toml file to with bandit = ">=1.7.5", the poetry.lock file would still be happy with GitPython 3.1.30 and go on their merry way. But as you point out, it's easy enough for me to address this by poking the poetry.lock file in a different path.

[sigmavirus24]

#1048 was merged before I could comment.

[tvalenta]

#1048 was merged before I could comment.

Thanks for that clarification, which makes a bunch of sense.